
Security Overview

How Docket protects your data.

Security Model

Docket is designed with security as a core principle:

| Feature | Protection |
|---|---|
| At Rest | AES-256 encryption for all user data |
| In Memory | Keys wiped on lock or USB disconnect |
| In Transit | Local inference — data never leaves device |
| Password | Argon2id key derivation (memory-hard) |

What's Protected

When encryption is enabled:

| Data | Storage | Protection |
|---|---|---|
| Chat messages | SQLite database | SQLCipher encryption |
| API keys | Database | SQLCipher encryption |
| User files | Individual files | AES-256-GCM per-file |
| File metadata | Database | SQLCipher encryption |
| Chat images | Individual files | AES-256-GCM per-file |
| Settings presets | Database | SQLCipher encryption |
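One way to check the at-rest claims in the table above, as an added example that is not Docket's own code: a plaintext SQLite file always begins with the 16-byte magic "SQLite format 3\0", while a SQLCipher database in its default configuration does not, so the header plus a byte-entropy estimate separates the two. The file names, the 7.5 bits/byte threshold and the sample files are assumptions constructed for this example.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8.0, text and SQLite pages well below."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_at_rest(path: str, sample_size: int = 65536) -> str:
    """Return 'plaintext-sqlite', 'likely-encrypted' or 'likely-plaintext'."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    # Heuristic threshold assumed for this example; compressed files also score high.
    return "likely-encrypted" if shannon_entropy(sample) > 7.5 else "likely-plaintext"

def build_samples(directory: str) -> dict:
    """Constructed sample files (hypothetical names, not Docket's real layout)."""
    plain_db = os.path.join(directory, "plain.db")
    conn = sqlite3.connect(plain_db)
    conn.execute("CREATE TABLE messages (body TEXT)")
    conn.execute("INSERT INTO messages VALUES ('hello from an unencrypted vault')")
    conn.commit()
    conn.close()
    # Random bytes stand in for an encrypted database or per-file ciphertext.
    cipher_like = os.path.join(directory, "vault.db")
    with open(cipher_like, "wb") as fh:
        fh.write(os.urandom(8192))
    note = os.path.join(directory, "export.txt")
    with open(note, "w") as fh:
        fh.write("exported chat transcript\n" * 200)
    return {"plain_db": plain_db, "cipher_like": cipher_like, "note": note}

def audit(directory: str) -> dict:
    """Classify every file in a directory, keyed by file name."""
    return {name: classify_at_rest(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(audit(tmp))
```

A "likely-encrypted" verdict only shows that the file is not readable plaintext; it does not confirm the cipher or the key-derivation settings.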

What's Not Encrypted

Some data is intentionally unencrypted:

| Data | Reason |
|---|---|
| AI models | Too large, can be re-downloaded |
| App preferences | UI settings only (theme, etc.) |
| Model registry | Non-sensitive metadata |
| Exported files | Intentionally unencrypted for sharing |

Encryption Modes

Encrypted Mode

  • All sensitive data encrypted with your password
  • Vault must be unlocked to access data
  • USB disconnect automatically locks vault
  • Strongest protection for your data

Unencrypted Mode

  • Data stored in plaintext
  • No password required
  • Convenient for non-sensitive use cases
  • Faster performance (no encryption overhead)

You can switch between modes at any time in Settings.

Key Security Features

Offline-First

Local AI models work without internet. Your conversations:

  • Never leave your device
  • Are not sent to cloud servers
  • Remain completely private

Network Control

A global toggle controls all network access:

  • Off (default) — No external connections
  • On — Enables API models and downloads

Automatic Lock

Your vault is automatically locked when:

  • You click the lock button
  • The USB drive is disconnected
  • The app is closed

Memory Protection

When locked:

  • Encryption keys are wiped from memory
  • Decrypted content is cleared from the interface
  • All sessions are invalidated

Learn More